Malicious PDF — malware analysis report

Static analysis result for SHA-256 7999ab155e4ec02d…

MALICIOUS

PDF

82.2 KB Created: 2021-06-09 06:51:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 9335812c867710f59ba01ed5b75e5727 SHA-1: 98ef1a4fca88dc43519fffab9683effba98e8364 SHA-256: 7999ab155e4ec02de63fd3bc4e9317e1f5a9acd42f4e659d95fbf74db098452b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many hosted on compromised CMS platforms, suggesting a phishing or malware distribution scheme. The presence of 'utm_term' parameters in some URLs further supports the idea of tracking user interactions with malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9057

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=full+ayatul+kursi+pdf PDF link annotation
    • https://dentinale.eu/wp-content/plugins/super-forms/uploads/php/files/5761692fe7a85ba0f940f846f248949c/rabokumexuluz.pdfIn PDF document text
    • https://graffitipaintstudio.com/wp-content/plugins/super-forms/uploads/php/files/4af2efe6bcd03b42c821885f0e7ed903/xesaxelopenomi.pdfIn PDF document text
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160acb99caf58a---dixatakaluv.pdfIn PDF document text
    • http://friluftsgruppen.se/wp-content/plugins/formcraft/file-upload/server/content/files/160bf51d81e15a---dafiwexoxariboxowunivaxof.pdfIn PDF document text
    • https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/16089fdf63df80---95380233949.pdfIn PDF document text
    • https://www.yoursurveysurveyors.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160b48873557fa---xafobakafe.pdfIn PDF document text
    • https://cald-lighting.com/wp-content/plugins/super-forms/uploads/php/files/6dcf4d46a3d446a91836ecdb15561b93/tovap.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/fg854pdqrk4cr1o983n3flbj94/98325607506.pdfIn PDF document text
    • http://blackhorsesc.pl/userfiles/file/70626375934.pdfIn PDF document text
    • http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607620000791b---69995182016.pdfIn PDF document text
    • http://alexsrmenchion.com/clients/b/bf/bf5401b25fe3457642f5a6f1150d5537/File/jejibobapupelobano.pdfIn PDF document text
    • https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/160984be61ae61---kigewujevilixotazubazu.pdfIn PDF document text
    • https://www.ergunaygoren.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ed0af31f99---81888758358.pdfIn PDF document text
    • https://yastudio.net/wp-content/plugins/super-forms/uploads/php/files/c1ff549467b0681e4d7cfba6d5ae372f/tiwoxulomon.pdfIn PDF document text
    • http://staresecurity.com/userfiles/file/vitulavororarulirup.pdfIn PDF document text
    • https://ecobox.eng.br/wp-content/plugins/super-forms/uploads/php/files/qv4ts19qi8l7plsqc4rkkok0tf/jijoweweme.pdfIn PDF document text
    • https://www.asahinafunnels.com/wp-content/plugins/super-forms/uploads/php/files/hv4cle3tipb4vcig0394gu2t9r/56957630278.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010cc7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CC7 7000 bytes
SHA-256: 54ea47d1788d274a57e285cf9020f2d857eef8d5d7d54aee237c0b9277f4040b
font_01_sfnt_off00011e5d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11E5D 5156 bytes
SHA-256: 6e9d6a48f47d43e27066c95d02c3807fe08fd0a5ef06bfc73e122ee5418bfda0